Saturday, November 29, 2008

The Corporate Data Cover-Up

Data hackers are silently infesting corporate organisations and creating an invisible battlefield, but too many Boards of Directors will not admit to their own vulnerabilities and weaknesses.

Not long ago, a senior executive at one of corporate America’s large bellwether companies received a telephone call from law enforcement explaining that the company had a major software vulnerability in its corporate web site. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately, but he refused to disclose how he had come to know about it.

At the executive’s request, the organisation’s chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign Government had penetrated the organisation’s applications infrastructure, and was in a position to bring it down whenever the time was deemed right...

The invisible battlefield

Cyber security is no longer just the job of the IT Department. As this true story highlights, cyber crime today is played out on a silent, invisible battlefield. The anonymity and universal reach of cyberspace make cyber crime attractive and easy. If customers, partners and employees can reach sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for attackers.

Defending against cyber crime is costing billions of dollars. According to analyst firm Gartner, organisations worldwide spent $288 billion on information security products in 2007 alone. The US Government is allocating $7.9 billion to cyber security in 2009, which is $103 out of every $1,000 requested for IT spending (and up 75% from 2004). Last year, US companies spent $79 billion in this area.

Is all this investment making an impact? The Web Application Security Consortium’s statistics project analysed 31,373 web applications and found that they contained 148,000 vulnerabilities. Between 2001 and 2007, 180 million credit card records were stolen.

The Washington Post reported that, by August 2008, the number of successful data breaches had already surpassed the total for the whole of 2007.

What’s not working? Businesses build applications to store, process and transact money and data for the sake of efficiency, but all too often fail to properly defend them. As business has modernised, software security hasn’t followed suit, and hackers have sniffed out the weaknesses. Traditional defensive measures, including the usual firewalls and anti-virus products, don’t protect against these breaches: a flaw in a web application is reached over the same web traffic the firewall has to let through, and no virus signature describes it.

A new business imperative

The days of hacking for fun are over. The new face of cyber crime has evolved in two ways. First, foreign Governments are after intellectual property, particularly in the military domain, and the Internet is their portal into the applications and databases that hold these secrets.

Countries such as China have become proficient in the art of cyber warfare and cyber espionage after setting up dedicated hacking centres to this end. North Korea has invested in a hacking school from which about 100 hackers ‘graduate’ each year, while Russia fetes its cyber-savvy practitioners as national heroes.

The rationale is simple. Why invest vast sums in conventional weapons or risk international scandal if spies are discovered when, in this day and age, such operations may be conducted quietly online?

Second, the amount of money that can be made from online fraud and theft, at relatively little risk compared with operations in the physical world, inevitably makes such undertakings attractive. Both individuals ‘on the make’ and organised crime gangs are now involved.

A sophisticated industry is also developing around this pursuit. Consider how the opponent has mobilised. In recent years, a growing number of hacker match-making web sites have sprung up. These act much like a brokerage firm, bringing people with a range of different skills together to target their chosen organisations more effectively.

There are also web sites that publish software vulnerabilities, which makes the hackers’ job far easier, and hackers develop and sell automated attack tools to one another.

Business Software Assurance

The Achilles’ heel that has allowed this evolution is that applications are only as good as the software developers who wrote them, and most of those developers are not held responsible for security.

So what can organisations do to protect themselves more effectively from the ever-present hacking threat?

The first thing is to adopt a Business Software Assurance (BSA) approach to information security. BSA offers a sound foundation for understanding which threats and vulnerabilities could affect the business, and how likely they are to be exploited.

BSA involves introducing a formal methodology for determining what the real risks are. This lets businesses focus on their true needs, and formally documenting the process ensures that issues don’t fall through the cracks.

As part of the BSA process, it’s crucial to understand just how exposed the organisation’s systems are. The aim is to remove flaws from the code itself so that the application resists attack on its own. More importantly, it’s about adopting an inside-out strategy that tackles root causes, as opposed to outside-in tactics that merely put a protective wall around the problem: a wall has to let legitimate traffic through, and an attacker who phrases the attack as legitimate-looking traffic walks straight through it to the flaw behind.
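The following is an added illustration, not code from the original article, of the difference between an outside-in wall and an inside-out fix. The article names no particular flaw class, so SQL injection is chosen here as a representative one; the user table, the blocklist, the query and the two payloads are all constructed for the example. The "wall" is a token blocklist of the kind a perimeter filter applies; it stops the textbook payload but not a rephrased one, whereas the parameterised query removes the root cause and is indifferent to how the input is written.

```python
import sqlite3

# Constructed sample data for the example: a toy user table with made-up hashes.
SAMPLE_USERS = [
    ("alice", "h1_alice"),
    ("bob", "h2_bob"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def perimeter_filter(value):
    """The 'wall around the problem': a blocklist of obvious injection tokens.

    Returns True if the input is allowed through.  This is deliberately the
    kind of check a perimeter device applies without knowing the application.
    """
    lowered = value.lower()
    return not any(token in lowered for token in ("' or", "--", ";"))


def lookup_vulnerable(conn, name):
    """Root-cause flaw: untrusted input is concatenated into the SQL text,
    so the database parses the attacker's input as part of the query."""
    sql = f"SELECT username FROM users WHERE username = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, name):
    """Inside-out fix: a parameterised query.  The input is bound as a value
    and is never interpreted as SQL, whatever it contains."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (name,)
    )
    return [row[0] for row in rows]


def run_scenario(name):
    """Run one input through the wall, the flawed code and the fixed code.

    vulnerable_result is None when the wall blocked the request, otherwise
    whatever the flawed query returned.
    """
    conn = make_db()
    allowed = perimeter_filter(name)
    return {
        "blocked_by_wall": not allowed,
        "vulnerable_result": lookup_vulnerable(conn, name) if allowed else None,
        "fixed_result": lookup_fixed(conn, name),
    }


if __name__ == "__main__":
    # Constructed payloads: the textbook one the wall knows, and a rephrasing
    # that contains none of the blocked tokens.
    for probe in ("alice", "' OR '1'='1",
                  "x' UNION SELECT password_hash FROM users WHERE 'a'='a"):
        print(repr(probe), run_scenario(probe))
```

Run as a script it prints three lines: the legitimate lookup behaves identically in both versions; the textbook payload is stopped at the wall; the rephrased payload passes the wall and, against the flawed query, returns every password hash in the table, while the parameterised query simply finds no such user. That last line is the article's point in miniature: the wall treated a symptom, the fix removed the cause.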

The New World Economy

As the world has moved online, it has brought all of its vices with it. An entire economy has sprung up on the World Wide Web to support and feed a cycle of fraud and theft that leeches untold strategic and monetary value from supposedly safe data warehouses, and costs further billions to defend against, generally with limited effect.

The only path out of this reckless cycle is a strategy that focuses not only on the criminals coveting your organisation’s data, but also on the vulnerabilities in your software that they turn against you.